| Title | tcpreplay tcpprep tcpreplay version 6fcbf03 (the newest master in https://github.com/appneta/tcpreplay) Heap Buffer Overflow |
|---|
| Description | # TCPPREP Heap Buffer Overflow Vulnerability in our_safe_strdup Function
## Vulnerability Summary
During fuzzing, a heap buffer over-read was found in the tcpprep utility of the tcpreplay suite. The out-of-bounds read happens in the `mask_cidr6` function in `cidr.c` at line 228; the buffer it reads was allocated by `our_safe_strdup` in `utils.c` at line 90 on behalf of `doOptInclude`. AddressSanitizer reports it as a one-byte heap-buffer-overflow READ: because it is a read, it does not corrupt memory, but it is an out-of-bounds access in normal builds and makes the program abort under ASan.
## Technical Details
- **Vulnerability Type**: Heap buffer overflow (one-byte out-of-bounds read)
- **Affected Function**: `mask_cidr6` (reads past the buffer); `our_safe_strdup` (allocates it, sized exactly to the input)
- **Source File**: `cidr.c` / `utils.c`
- **Line Number**: 228 / 90
- **Signal**: SIGABRT (6), raised by AddressSanitizer when it reports the error
## Vulnerability Mechanism and Root Cause
The over-read is caused by `mask_cidr6` consuming the CIDR string without checking how long it is. `our_safe_strdup` itself behaves correctly: it allocates exactly `strlen(s) + 1` bytes, so a one-character include argument becomes a 2-byte heap block holding the character and its NUL terminator. `mask_cidr6` then reads the byte immediately after that terminator, which lies outside the allocation.
The vulnerability occurs when:
1. `doOptInclude` duplicates the option argument with `our_safe_strdup` at line 1435, producing a 2-byte allocation (one character plus the NUL terminator)
2. The string is handed down through `parse_xX_str` and `parse_cidr` to the IPv6 CIDR code even though it is far too short to hold an IPv6 address
3. `mask_cidr6` at line 228 reads 1 byte at address 0x602000000032, which is 0 bytes past the end of the 2-byte region [0x602000000030,0x602000000032), i.e. the byte right after the terminator
This vulnerability is distinct from other `mask_cidr6` issues because of its allocation path (`our_safe_strdup` called from `doOptInclude`) and the 2-byte region size.
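The failure mode described above, as an added illustration rather than code from tcpreplay: `mask_cidr6_unchecked` is a hypothetical scanner that walks a duplicated CIDR string to the `/` without ever checking for the terminator, so a `strdup`'d one-character argument ("1" plus NUL, the 2-byte region in the ASan report) is read past its end. `mask_cidr6_checked` is the hardened counterpart. The names, the `/128` default and the sample strings are assumptions for this example, not tcpreplay's actual logic; the demonstration places the 2-byte token inside a larger block we own so the over-read stays defined when run here (on a real 2-byte heap allocation ASan aborts, as in the report).

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical prefix-length scanner (not tcpreplay's code). It models the
 * pattern the ASan report shows: the caller strdup'd a short option argument
 * (strlen + 1 bytes, so "1" becomes a 2-byte block) and the consumer walks the
 * string looking for the '/' separator without checking for the NUL terminator.
 * On "1" the scan leaves the allocation after two bytes. */
static int mask_cidr6_unchecked(const char *cidr)
{
    const char *p = cidr;
    while (*p != '/')          /* no terminator check: walks past the NUL */
        p++;
    return atoi(p + 1);
}

/* Hardened variant: strchr() stops at the terminator, a missing prefix length
 * defaults to a host route (/128, an assumption for this example), the digits
 * after '/' are validated and the range is bounded. Address syntax beyond the
 * presence of ':' is deliberately not validated here. */
static int mask_cidr6_checked(const char *cidr)
{
    const char *slash;
    char *end;
    long mask;

    if (strchr(cidr, ':') == NULL)        /* cannot be an IPv6 address */
        return -1;
    slash = strchr(cidr, '/');            /* bounded by the NUL */
    if (slash == NULL)
        return 128;
    if (slash[1] < '0' || slash[1] > '9') /* rejects "addr/", "addr/ 64", "addr/+64" */
        return -1;
    mask = strtol(slash + 1, &end, 10);
    if (*end != '\0' || mask < 0 || mask > 128)
        return -1;
    return (int)mask;
}

/* Constructed demonstration of the over-read. The 2-byte token "1\0" sits at
 * the start of a 16-byte block so the read stays inside memory we own. The
 * unchecked scanner skips the NUL at offset 1, finds a '/' at offset 4 among
 * the bytes that happen to follow, and reports a prefix length of 64 that was
 * never part of the one-character input. */
static int demo_unchecked_reads_past_terminator(void)
{
    char block[16] = { '1', '\0', '2', '3', '/', '6', '4', '\0' };
    return mask_cidr6_unchecked(block);
}

int main(void)
{
    printf("unchecked scan of the 2-byte token: %d\n", demo_unchecked_reads_past_terminator());
    printf("checked scan of \"1\": %d\n", mask_cidr6_checked("1"));
    printf("checked scan of \"2001:db8::/32\": %d\n", mask_cidr6_checked("2001:db8::/32"));
    return 0;
}
```

The point of the checked variant is not the `/128` default but that every step is bounded by the terminator that `our_safe_strdup` already wrote: a correctly sized allocation is only safe if the consumer respects it.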
## AddressSanitizer Report
```
=================================================================
==2174096==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000000032 at pc 0x562fc4b883f1 bp 0x7ffd876a9c70 sp 0x7ffd876a9c68
READ of size 1 at 0x602000000032 thread T0
#0 0x562fc4b883f0 in mask_cidr6 /workspace/benchmark/program/tcpreplay-6fcbf03-Jul13-2024/src/common/cidr.c:228:9
#1 0x562fc4b883f0 in parse_cidr /workspace/benchmark/program/tcpreplay-6fcbf03-Jul13-2024/src/common/cidr.c:256:5
#2 0x562fc4b92714 in parse_xX_str /workspace/benchmark/program/tcpreplay-6fcbf03-Jul13-2024/src/common/xX.c:89:14
#3 0x562fc4b722e5 in doOptInclude /workspace/benchmark/program/tcpreplay-6fcbf03-Jul13-2024/src/tcpprep_opts.c:1438:38
0x602000000032 is located 0 bytes after 2-byte region [0x602000000030,0x602000000032)
allocated by thread T0 here:
#0 0x562fc4b3222e in malloc (/workspace/benchmark/tmp/need-ana/fz-tcpprep/tcpprep+0x10722e)
#1 0x562fc4b92ca1 in our_safe_strdup /workspace/benchmark/program/tcpreplay-6fcbf03-Jul13-2024/src/common/utils.c:90:27
#2 0x562fc4b72261 in doOptInclude /workspace/benchmark/program/tcpreplay-6fcbf03-Jul13-2024/src/tcpprep_opts.c:1435:15
```
## Proof of Concept
The vulnerability is triggered by loading the options file provided as `POC_tcpprep_heap_buffer_overflow_our_safe_strdup`. The file contains an include rule whose argument, once duplicated by `our_safe_strdup` in `doOptInclude`, occupies only 2 bytes (one character plus the NUL terminator), which is what drives `mask_cidr6` past the end of the allocation.
**POC Download**: [Google Drive Link - POC_tcpprep_heap_buffer_overflow_our_safe_strdup](https://drive.google.com/file/d/1Sm4H_qcCl-otKja1AvzmYVPTgC2O-Sbl/view?usp=sharing)
## Reproduction Steps
1. Compile tcpprep with AddressSanitizer enabled
2. Execute: `tcpprep --load-opts POC_tcpprep_heap_buffer_overflow_our_safe_strdup`
3. The program will crash with a heap-buffer-overflow error
## Affected Versions
tcpreplay version 6fcbf03 (the newest master in https://github.com/appneta/tcpreplay)
**Credit**
- Xudong Cao (UCAS)
- Yuqing Zhang (UCAS, Zhongguancun Laboratory) |
|---|
| Source | ⚠️ https://github.com/appneta/tcpreplay/issues/959 |
|---|
| User | nipc-cxd (UID 88335) |
|---|
| Submission | 07/27/2025 09:11 (11 months ago) |
|---|
| Moderation | 08/14/2025 07:50 (18 days later) |
|---|
| Status | Duplicate |
|---|
| VulDB entry | 320080 [tcpreplay 4.5.1 tcpprep cidr.c mask_cidr6 heap-based overflow] |
|---|
| Points | 0 |
|---|